Marriott Breach: Unencrypted Passport Numbers, Payment Cards Leaked
Marriott's mega-breach is somehow better, and worse.
- By Sydny Shepard
- Jan 09, 2019
Marriott International says its recently discovered mega-breach wasn't quite as bad as it first advertised. Marriott originally estimated that the breach exposed information of 500 million customers, but now believe only 383 million people were affected.
"We concluded with a fair degree of certainty that information for fewer than 383 million unique guests was involved, although the company is not able to quantify that lower number because of the nature of the data in the database," Marriott said in its revised data breach notification.
Marriott also says that its breach investigation now counts 25.6 million passport numbers being exposed in the breach, of which 5.25 million were unencrypted.
"There is no evidence that the unauthorized third party accessed the master encryption keys needed to decrypt the encrypted passport numbers," Marriott said, but that doesn't mean that the hackers couldn't later brute-force their way in.
Also exposed in the breach was approximately 8.6 million encrypted payment cards that were being stored by Marriott. If attackers were able to decrypt the card data, they could have been using the stolen card data since 2014 to commit fraud.
By the time the breach was discovered, Marriott said the majority of the payment cards were expired. Only 354,000 were still active as of September 2018. As with the passport data, Marriott has no reason to believe the third party accessed the encryption key needed to access the payment cards.
Back in December of 2018, the Marriott announced a breach of its Starwood guest reservation database. The information accessed included some combination of a name, mailing address, phone number, email, passport number, Starwood Preferred Guest account information, date of birth, gender, arrival and departure information, reservation data and communication preferences.
About the Author
Sydny Shepard is the Executive Editor of Campus Security & Life Safety.